aws_secretsmanager: Secret fails if it ends with a hyphen and 6 digits like "-[0-9a-f]{6}" #27530

Closed
zhahaoyu opened this issue Oct 13, 2023 · 2 comments
Labels
@aws-cdk/aws-secretsmanager Related to AWS Secrets Manager

Comments

@zhahaoyu

Describe the bug

I have spent hours debugging this issue and finally found this bug.

When a secret is created with a name ending "-[0-9a-f]{6}", for my specific examples, I named the secret "xyz-secret" and "xyz-google".

When I used it as a secret for my LoadBalancedApplicationService, it keeps getting AccessDeniedException, but the secret with fewer digits works just fine.

    secrets: {
        SECRET1: aws_ecs.Secret.fromSecretsManager(
            aws_secretsmanager.Secret.fromSecretNameV2(this,
                'SEC1',
                `xyz-secret`)),
        SECRET2: aws_ecs.Secret.fromSecretsManager(
            aws_secretsmanager.Secret.fromSecretNameV2(this,
                'SEC2',
                `xyz-creds`)),
    },

I am suspecting that there is a hard-coded rule somewhere that makes a special treatment for "-[0-9a-f]{6}".

Expected Behavior

It should work fine

Current Behavior

It reports AccessDeniedException

Reproduction Steps

  1. Create a secret ending "-secret"
  2. Inject it to LoadBalancedApplicationService
  3. Observe

Possible Solution

  1. (best) Fix the hard-coded logic to treat the last 6 digits differently, or
  2. Enforce naming requirement not to have "-[0-9a-f]{6}" when a secret is being created, or
  3. Fix CDK

Additional Information/Context

No response

CDK CLI Version

2.99.1 (build b2a895e)

Framework Version

No response

Node.js Version

16

OS

mac os

Language

TypeScript

Language Version

No response

Other information

No response

@zhahaoyu zhahaoyu added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 13, 2023
@github-actions github-actions bot added the @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager label Oct 13, 2023
@peterwoodworth peterwoodworth removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 13, 2023
@peterwoodworth
Contributor

Thanks for the bug report, the docs call this out and say to use fromSecretCompleteArn() instead

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.Secret.html#static-fromwbrsecretwbrnamewbrv2scope-id-secretname
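An added example, not part of the thread or of the CDK code base: Secrets Manager ends every complete secret ARN with a hyphen and six random characters, so a partial ARN built from a name that already ends that way reads as a complete ARN for a different secret. The check below flags such names before they reach fromSecretNameV2(), so they can be imported with fromSecretCompleteArn() instead. The function names, the account ID and region, and the `[A-Za-z0-9]` character class are assumptions made for the illustration.

```typescript
// Added example: a pre-synth check for secret names that are unsafe to import by name.
// Account ID, region and secret names below are constructed sample values.

// Tail that looks like the "-" plus six characters ending a complete ARN (assumed class).
const SUFFIX_LIKE_TAIL = /-[A-Za-z0-9]{6}$/;

interface ParsedSecretArn {
  name: string;          // secret name the ARN would refer to
  suffix: string | null; // six-character tail, or null when none is present
}

// Split the resource part of an ARN the way a reader expecting a complete ARN would.
function parseSecretArn(arn: string): ParsedSecretArn {
  const marker = ":secret:";
  const idx = arn.indexOf(marker);
  if (arn.indexOf("arn:") !== 0 || idx === -1) {
    throw new Error(`not a Secrets Manager ARN: ${arn}`);
  }
  const resource = arn.slice(idx + marker.length);
  if (!SUFFIX_LIKE_TAIL.test(resource)) {
    return { name: resource, suffix: null };
  }
  // Drop the hyphen and the six characters that follow it.
  return { name: resource.slice(0, -7), suffix: resource.slice(-6) };
}

// True when a partial ARN built from this name cannot be told apart from a complete ARN.
function needsCompleteArn(secretName: string): boolean {
  return SUFFIX_LIKE_TAIL.test(secretName);
}

// Return the names that should be imported with fromSecretCompleteArn().
function auditSecretNames(names: string[]): string[] {
  return names.filter(needsCompleteArn);
}

const partialArnPrefix = "arn:aws:secretsmanager:us-east-1:111122223333:secret:";
const flagged = auditSecretNames(["xyz-secret", "xyz-google", "xyz-creds"]);
for (const name of flagged) {
  const misread = parseSecretArn(partialArnPrefix + name);
  console.log(`${name}: partial ARN reads as secret "${misread.name}" with suffix "${misread.suffix}"`);
}
```

Run over the names from the report, the check flags "xyz-secret" and "xyz-google" and passes "xyz-creds", which matches the behaviour described in the issue.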

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
